Wednesday 24 October 2007

Moneyspyder, Evolution and PCI DSS compliance

Moneyspyder has always considered safety and security as our highest priorities - a veritable security sieve of a site may convert fantastically well initially but it is still a security sieve and as customers get to know and understand this, their lack of trust will surely erode conversion to dust.

So, being thought leaders in e-commerce, shortly after our inception as a company we embarked on a mission to attain PCI DSS compliance - as described on WikiPedia:

PCI is considered one of the more comprehensive data security standards in a cluster of regulations that have emerged over the past decade; Basel II, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability Act (HIPAA), Sarbanes-Oxley Act of 2002, California State Bulletin 1386. PCI is regarded as being relatively more prescriptive than these other laws.

Having identified a partner who specialised in, amongst other areas of IT security, PCI DSS compliance we worked closely with Evolution to understand what PCI compliance would mean to us, our clients and their customers and how to achieve the required standards to qualify.

Joining forces with Evolution and Engine Yard, Moneyspyder was ratified as PCI DSS compliant in July 2007. We are delighted with the strength and reliability of the collective solution we offer to our clients and can highly recommend working with Evolution in the arena of security and PCI DSS compliance.

Matthew Tyler, PCI Practice Manager with Evolution Group:

"As a QSA it is Evolution’s role to assist our customers in attaining and maintaining Compliance to the Payment Card Industry Data Security Standards (PCI DSS).

The PCI DSS is the most rigorous and most detailed compliance standard currently in any industry and the attainment of compliance to this standard takes both a commitment from the stakeholders in the business as well as, in most cases, a vast amount of work.

As PCI Practice Manager, I am extremely pleased that we have ratified MoneySpyder as a fully PCI DSS compliant organisation and were extremely impressed with the technical knowledge within their organisation and their willingness to adopt change. They have attained PCI DSS corporate compliance in the shortest possible time and this is solely due to their commitment to their customers and their skill sets.


Jatinder Singh said...

For one of the application(who is also on Engine Yard), we are trying to implement subscription based billing module. we decided that for flexibility it would be best to have our own subscription syste instead of using recurring services of other payment gateways.

Critical thing to take care of, is storage of credit card info.
You have mentioned Evolution, so is that a 3rd party which stores credit card info and have an API for you to access that info or do they help achieve PCI DSS standard by implementing required standards on EY servers?

The alternative we are considering is to use Trust Commerce Citadel service to store cc# info on their servers and then have our own subscription system. any thoughts?

Anonymous said...

I think PCI DSS and Penetration Testing are all important ! And thank you to give so good idea!